Version: 0.5.6

AWS EKS Prerequisites

This page outlines the prerequisite requirements for deploying Cortex DCI on a Kubernetes/EKS cluster using the "helm-only" deployment model.

For help deploying the EKS cluster itself, refer to Amazon's EKS documentation on creating a cluster.

Basic Installation Prerequisites

  • AWS subscription (Account ID)
  • Valid SMTP credentials
  • Domain name
  • Cortex license and account name
    • JWT and key for "docsToken"
  • TLS/SSL certificate signed by a trusted CA, any intermediate certificates in its chain, and the associated private key file
  • Utilities:
    • aws-cli
    • kubectl
    • k9s
    • helm
    • jq

AWS Services

Cluster preparation is performed by a client user who holds Sys Admin permissions and access keys for their AWS account. That user needs access to the AWS services listed below.

IAM Roles

  • Three (3) roles, with the policies described below attached, must be provisioned.
    • <rolename>-cluster: This role is required while creating the cluster. It should have the IAM policies listed below attached to it.
    • <rolename>-bastion: This role is assigned to the bastion hosts and has admin privileges on the cluster. It carries the following inline policy, with Resource scoped to the cluster's ARN rather than "*":
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": "arn:aws:CLUSTER-ARN"
          }
        ]
      }
    • <rolename>-worker: This role is assigned to the worker nodes so that they can connect to the EKS cluster control plane (master). The policies the workers need in order to connect are listed below.
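As an added example (not code from the Cortex DCI documentation or project), the bastion role above built with aws-cli: an EC2 trust policy so the bastion hosts can assume the role through an instance profile, the page's inline policy with Resource pinned to one cluster ARN, and the aws-auth ConfigMap entry that actually makes the role cluster-admin inside Kubernetes. The role name, account ID and cluster ARN are placeholders. The commands are printed rather than executed so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example, not Cortex DCI project code. Builds the <rolename>-bastion
# role: EC2 trust policy, the page's inline policy pinned to one cluster
# ARN, and the aws-auth mapRoles entry for cluster-admin. Names and ARNs
# used below are placeholders.
set -eu

# Trust policy: the bastion EC2 instances assume the role via an instance
# profile, so only the EC2 service principal may assume it.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# The inline policy from the page. Resource is the cluster ARN, never "*",
# so the bastion can manage this cluster and no other.
bastion_inline_policy() {
  cluster_arn=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eks:*",
      "Resource": "${cluster_arn}"
    }
  ]
}
EOF
}

# Guard against an unscoped policy: returns 1 if any Resource is "*".
policy_is_scoped() {
  if printf '%s' "$1" | grep -q '"Resource": *"\*"'; then return 1; fi
  return 0
}

# mapRoles entry for the aws-auth ConfigMap in kube-system. Mapping to
# system:masters is what grants cluster-admin; the IAM policy alone only
# allows the EKS API calls (describe cluster, fetch token, ...).
aws_auth_map_role() {
  role_arn=$1
  cat <<EOF
- rolearn: ${role_arn}
  username: bastion:{{SessionName}}
  groups:
    - system:masters
EOF
}

# Collapse a JSON document to one line for use as a CLI argument.
one_line() { tr -d '\n'; }

# Print (do not run) the aws-cli commands that create the role, attach the
# inline policy and expose it through an instance profile.
plan_bastion_role() {
  role_name=$1; cluster_arn=$2
  cat <<EOF
aws iam create-role --role-name '${role_name}' \\
  --assume-role-policy-document '$(ec2_trust_policy | one_line)'
aws iam put-role-policy --role-name '${role_name}' --policy-name eks-cluster-access \\
  --policy-document '$(bastion_inline_policy "$cluster_arn" | one_line)'
aws iam create-instance-profile --instance-profile-name '${role_name}'
aws iam add-role-to-instance-profile --instance-profile-name '${role_name}' --role-name '${role_name}'
EOF
}

# Example invocation with placeholder values:
plan_bastion_role dci-bastion arn:aws:eks:us-east-1:111122223333:cluster/dci
echo "# append to .data.mapRoles of 'kubectl -n kube-system edit configmap aws-auth':"
aws_auth_map_role arn:aws:iam::111122223333:role/dci-bastion
```

The mapRoles entry is appended to the existing aws-auth ConfigMap (kubectl -n kube-system edit configmap aws-auth); removing the role from that ConfigMap revokes cluster access even while the IAM policy remains attached.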

Network

VPC

  • The EKS cluster uses a VPC with a /16 IPv4 CIDR block, subnetted into both public and private subnets.

  • The public subnets host the Internet-facing load balancers and the NAT gateways.

  • For EKS/Kubernetes to discover the VPC, it must carry the following tag:

    Key                                   Value
    kubernetes.io/cluster/<cluster_name>  shared

Subnets

  • DCI EKS requires /22 IPv4 CIDR subnets in a minimum of three (3) Availability Zones within the same Region.

  • For EKS/Kubernetes to discover the subnets, each must carry the following tag:

    Key                                   Value
    kubernetes.io/cluster/<cluster_name>  shared

  • For EKS/Kubernetes to recognize public subnets and place external load balancers in them, those subnets must also carry the following tag:

    Key                      Value
    kubernetes.io/role/elb   1

Internet and NAT Gateway

To give worker nodes in the private subnets Internet access, deploy a NAT gateway in a public subnet, with Internet routing provided by an Internet gateway attached to the VPC.

EKS Cluster

EKS Worker Nodes

Launch Config

The EKS worker node launch configuration uses the following AMI, a minimum instance size of m5.xlarge, and a minimum root volume size of 50 GB. The AMI name encodes the Kubernetes version (1.12) and build date it targets; use the EKS-optimized AMI that matches the cluster's Kubernetes version.

AMI ID                 AMI Name
ami-0e380e0a62d368837  amazon-eks-node-1.12-v20190701

Auto Scaling Group

An Auto Scaling Group using the previously defined Launch Config and the following profile:

Instances (desired)  Min  Max  Availability Zones
4                    4    10   Same as the subnets

SSL Certificates

  • Permissions to create a Load Balancer and configure target groups
  • After creating the load balancer, provide the certificate and key files for it
  • Create DNS records for the following five (5) hostnames under the base domain, pointing at the load balancer:
    • console.<cluster-name>.base-domain.
    • api.<cluster-name>.base-domain.
    • docs.<cluster-name>.base-domain.
    • marketplace.<cluster-name>.base-domain.
    • private-registry.<cluster-name>.base-domain.
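As an added example (not code from the Cortex DCI documentation or project), the five hostnames above generated for a cluster and checked against a certificate's Subject Alternative Names, so a certificate that omits one of them (or that only covers the bare base domain) is caught before the load balancer listener is configured. The cluster name and base domain are placeholders; the SAN text is whatever "openssl x509 -noout -ext subjectAltName" prints for the certificate file, and the sample SAN strings in the usage are constructed.

```shell
#!/bin/sh
# Added example, not Cortex DCI project code. Lists the five DCI hostnames
# and checks that a certificate's SAN entries cover every one of them,
# accepting a *.<cluster>.<base-domain> wildcard. Cluster name and base
# domain are placeholders.
set -eu

# The five hostnames the load balancer must serve.
dci_hostnames() {
  cluster=$1; base=$2
  for svc in console api docs marketplace private-registry; do
    printf '%s.%s.%s\n' "$svc" "$cluster" "$base"
  done
}

# Reduce openssl's SAN output ("DNS:a.example.com, DNS:*.b.example.com,
# IP Address:...") to one DNS name per line; non-DNS SANs are ignored.
san_dns_names() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Does one SAN entry match the host? Exact match, or a wildcard covering
# exactly one label (RFC 6125): *.c1.example.com matches api.c1.example.com
# but not deep.api.c1.example.com or c1.example.com.
san_matches() {
  san=$1; host=$2
  [ "$san" = "$host" ] && return 0
  case $san in
    \*.*)
      parent=${san#\*.}
      [ "${host#*.}" = "$parent" ] && [ "${host%%.*}" != "$host" ] && return 0
      ;;
  esac
  return 1
}

# Print every hostname NOT covered by the SAN text; return 1 if any.
# Usage: san_missing "<san text>" host...
san_missing() {
  san_text=$1; shift
  names=$(printf '%s\n' "$san_text" | san_dns_names)
  missing=0
  for host in "$@"; do
    covered=0
    for san in $names; do
      if san_matches "$san" "$host"; then covered=1; break; fi
    done
    if [ "$covered" -eq 0 ]; then echo "$host"; missing=1; fi
  done
  return $missing
}

# Check a real certificate file (needs openssl 1.1.1 or newer for -ext).
# Usage: check_cert_covers cert.pem <cluster-name> <base-domain>
check_cert_covers() {
  cert=$1; cluster=$2; base=$3
  san_text=$(openssl x509 -in "$cert" -noout -ext subjectAltName)
  # shellcheck disable=SC2046
  san_missing "$san_text" $(dci_hostnames "$cluster" "$base")
}

# Constructed sample: a SAN list that forgot two of the five names.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:console.c1.example.com, DNS:api.c1.example.com, DNS:docs.c1.example.com'
echo "hostnames missing from the sample certificate:"
# shellcheck disable=SC2046
san_missing "$SAMPLE_SAN" $(dci_hostnames c1 example.com) || true
```

Run check_cert_covers against the real certificate before installing it on the load balancer; a non-zero exit with the uncovered hostnames printed means the certificate (or its wildcard) does not cover every DCI endpoint.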

Access to the Cluster

Grant CognitiveScale admin EKS permissions on the cluster. Use a dedicated IAM role for this access so that it can be audited and revoked independently of other principals.

Optional External Databases

Mongo cluster

  • Connection string with username/password for Cortex install
  • Three (3) databases in the cluster:
    • cortex-admin
    • cortex-graph
    • cortex-metrics

Redis cluster

Connection string with username/password for Cortex install

RabbitMQ cluster

Connection string with username/password for Cortex install

Postgres/RDS cluster

Connection string with username/password for Cortex install

ElastiCache cluster

  • Connection string with username/password for Cortex install OR
  • Cluster API endpoint